I have an odd problem with my Zimbra mail server.
I run Zimbra 8.8.9 Collaboration on Ubuntu Server 16.04.
I have noticed that the DKIM validation of email sent from my domains to my domains fails because of DNS SERVFAIL due to a timeout querying the domainkey.
So I have tried to query the domainkey with dig through various public DNS servers from my mail server, and effectively I always get a timeout.
So I have tried the same query from another Ubuntu server on another network and from a Univention server, and I still had the same result.
If I run the same query from a CentOS server or any Windows server (nslookup) I get the correct answer from the DNS servers.
Do you have the same problem?
How can I fix this?
Is it possible to generate a shorter domainkey selector in Zimbra as a workaround?
EDIT:
It seems that the problem happens only to machines behind a Cisco ASA 5510 firewall and that it is system independent. But the problem persists even with the firewall disabled.
EDIT2:
I'm sorry, I forgot to mention that when querying a DNS record that is shorter than those generated by Zimbra, everything works properly from any machine.
domainkey selector too long?
Last edited by luca_2186 on Wed Feb 13, 2019 7:36 pm, edited 1 time in total.
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
Re: domainkey selector too long?
Sounds like your domain's DNS servers are taking too long to respond to queries.
Maybe I'm not fully understanding the issue?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: domainkey selector too long?
I have found the problem by analyzing the firewall log.
By default the max allowed UDP packet size in a DNS reply is 512 bytes, and I had to raise this value to make everything work.
The value of 512 bytes seems to be a common default value in many firewalls because it is the RFC 1035 standard.
It seems that the selectors generated by Zimbra, due to their length, generate an answer of 518 bytes (I haven't really understood how those things are related).
I think that this is an important thing to know because probably many mail servers that use a firewall may fail DMARC authentication for mails coming from a Zimbra server for this reason.
Zimbra developers should seriously consider changing the length of the domainkey selector.
How can I change the selector manually?
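The relationship between the selector length, the DKIM key and the 512-byte limit can be shown by sizing the DNS answer on the wire. The following is an added example written for this page, not code from the thread or from Zimbra. It assumes a 2048-bit RSA key (a placeholder DER blob of the correct 294-byte length, not a real key), a made-up UUID-style selector of the kind zmdkimkeyutil generates, the hypothetical sending domain mail.example.com, and a deliberately simplified model of the UDP path: the server answers within 512 bytes unless the query carried an EDNS0 buffer size, and a DNS-inspecting firewall silently drops any UDP message larger than its configured maximum. Everything is built with the standard library, so it runs offline.

```python
"""Size a DKIM TXT reply on the wire and predict what a UDP-only path does with it.
Added example; the key bytes, selector, domain and firewall model are all constructed."""
import base64
import struct
from typing import Optional, Tuple

# Constructed placeholder, NOT a real key: a 2048-bit RSA SubjectPublicKeyInfo
# in DER is 294 bytes, and only the length matters for this calculation.
SAMPLE_2048_SPKI_DER = b"\x30\x82\x01\x22" + b"\x00" * 290

# Made-up selector in the 36-character UUID style zmdkimkeyutil produces,
# a short selector for comparison, and a hypothetical sending domain.
ZIMBRA_STYLE_SELECTOR = "0E9F184A-9EAE-11E1-AD0B-3FBFB3A3E3E4"
SHORT_SELECTOR = "s1"
DOMAIN = "mail.example.com"


def dkim_txt(pubkey_der: bytes) -> str:
    """TXT record body in the form zmdkimkeyutil prints: v=DKIM1; k=rsa; p=<base64>."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(pubkey_der).decode("ascii")


def dkim_qname(selector: str, domain: str) -> str:
    return f"{selector}._domainkey.{domain}"


def encode_name(name: str) -> bytes:
    """RFC 1035 wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <character-string>s of at most 255 bytes each."""
    data = text.encode("ascii")
    out = b""
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out


def build_txt_response(qname: str, txt: str, ttl: int = 3600,
                       edns_bufsize: Optional[int] = None) -> bytes:
    """Minimal authoritative answer: header, echoed question, one TXT RR, plus an
    OPT pseudo-RR (RFC 6891) only when the client advertised an EDNS0 buffer."""
    arcount = 1 if edns_bufsize else 0
    # ID, flags (QR, AA, RD, RA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # QTYPE TXT, QCLASS IN
    rdata = encode_txt_rdata(txt)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    msg = header + question + answer
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def udp_outcome(response_len: int, edns_bufsize: Optional[int],
                firewall_max: int = 512) -> str:
    """Simplified model (assumption, not a protocol spec) of what the resolver sees."""
    server_limit = edns_bufsize or 512          # RFC 1035 limit unless EDNS0 raised it
    sent = min(response_len, server_limit)      # server truncates to fit, setting TC
    if sent > firewall_max:
        return "dropped"                        # inspecting firewall eats it: timeout/SERVFAIL
    if response_len > server_limit:
        return "truncated"                      # TC bit set; resolver retries over TCP/53
    return "delivered"


def simulate(selector: str, domain: str, txt: str, edns_bufsize: Optional[int] = None,
             firewall_max: int = 512) -> Tuple[int, str]:
    """Return (wire size of the reply, outcome) for one selector/client/firewall combination."""
    size = len(build_txt_response(dkim_qname(selector, domain), txt, edns_bufsize=edns_bufsize))
    return size, udp_outcome(size, edns_bufsize, firewall_max)


if __name__ == "__main__":
    txt = dkim_txt(SAMPLE_2048_SPKI_DER)
    cases = [
        ("UUID selector, client advertises EDNS0 4096", ZIMBRA_STYLE_SELECTOR, 4096, 512),
        ("UUID selector, client sends no EDNS0", ZIMBRA_STYLE_SELECTOR, None, 512),
        ("short selector, client advertises EDNS0 4096", SHORT_SELECTOR, 4096, 512),
        ("UUID selector, EDNS0 4096, firewall limit raised", ZIMBRA_STYLE_SELECTOR, 4096, 4096),
    ]
    for label, sel, edns, fw in cases:
        size, outcome = simulate(sel, DOMAIN, txt, edns, fw)
        print(f"{label}: {size} bytes -> {outcome}")
```

With these inputs the UUID-style selector yields a 517-byte reply when the client advertises an EDNS0 buffer (which Linux stub resolvers normally do), so the server sends it whole over UDP and a firewall that enforces 512 bytes drops it; a client that sends no EDNS0 option gets a 506-byte reply without the OPT record and is fine, which matches the pattern in the thread of some hosts resolving and others timing out. The short selector saves only 34 bytes: the base64 of the 2048-bit key is the bulk of the record, so adding tags or a longer domain name puts a short-selector record over the limit again. The practical fix is to let larger DNS/UDP messages through (on a Cisco ASA this is the `message-length maximum 512` parameter of the default DNS inspection policy-map) and to allow TCP/53 so truncated answers can be retried, rather than shrinking keys. To reproduce the 512-byte path by hand, `dig +noedns +ignore TXT <selector>._domainkey.<domain>` asks without EDNS0 and does not retry over TCP on truncation, and `dig +tcp` confirms whether TCP fallback is reachable through the firewall.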
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
Re: domainkey selector too long?
luca_2186 wrote:
I have found the problem by analyzing the firewall log.
By default the max allowed UDP packet size in a DNS reply is 512 bytes, and I had to raise this value to make everything work.
The value of 512 bytes seems to be a common default value in many firewalls because it is the RFC 1035 standard.
It seems that the selectors generated by Zimbra, due to their length, generate an answer of 518 bytes (I haven't really understood how those things are related).
I think that this is an important thing to know because probably many mail servers that use a firewall may fail DMARC authentication for mails coming from a Zimbra server for this reason.
Zimbra developers should seriously consider changing the length of the domainkey selector.
How can I change the selector manually?

Try:
Code:
/opt/zimbra/libexec/zmdkimkeyutil -a -s yourselector -d domain.com
ccelis
Re: domainkey selector too long?
ccelis5215 wrote:
Try to change the selector:
Code:
/opt/zimbra/libexec/zmdkimkeyutil -a -s yourselector -d domain.com

Thanks, but -a will also change the key pair; isn't there an easy way to change only the selector?
- ccelis5215
Re: domainkey selector too long?
luca_2186 wrote:
Thanks, but -a will also change the key pair; isn't there an easy way to change only the selector?

To change the domain selector and update the value:
Code:
/opt/zimbra/libexec/zmdkimkeyutil -u -s newselector -d domain.com
ccelis
Re: domainkey selector too long?
ccelis5215 wrote:
To change the domain selector and update the value:
Code:
/opt/zimbra/libexec/zmdkimkeyutil -u -s newselector -d domain.com

Unfortunately this command also changed the key pair. Not really a problem, but this way I had to change the public key while the mail server was already sending email expecting the new key to be up.